Crunchyroll confirms data breach after hacker claims unauthorized access

Anime streaming work Crunchyroll has confirmed a information breach involving lawsuit work summons accusation pursuing an incidental with a third-party vendor, aft a hacker claimed to person accessed idiosyncratic information and interior systems.

The streaming site, which Sony acquired from AT&T successful 2020 for $1.18 billion, operates arsenic a associated task betwixt U.S.-based Sony Pictures Entertainment and Japan-based Aniplex. Crunchyroll has much than 2,000 titles successful implicit 12 languages and serves 15 cardinal subscribers worldwide, per its website.

Reports of a menace histrion claiming entree to Crunchyroll idiosyncratic information surfaced online this week, with a hacker alleging that they obtained information astir millions of users.

Crunchyroll said it is investigating the claims.

“Our probe is ongoing, and we proceed to enactment with starring cybersecurity experts,” the institution said successful a connection to TechCrunch, adding that it has not identified grounds of ongoing unauthorized access.

Separately, materials shared with TechCrunch by a cybersecurity-focused account, International Cyber Digest, bespeak the attacker whitethorn person gained entree to Crunchyroll’s Zendesk enactment system. Screenshots we person seen look to amusement the company’s interior Slack messages and stolen enactment data, seemingly stolen by hacking an worker astatine Telus Digital, an outsourcing elephantine that handles lawsuit enactment for Crunchyroll. The hacker allegedly stole lawsuit enactment summons information until aboriginal 2025, astatine which constituent their entree was revoked.

The cybersecurity relationship said the hack was abstracted from a caller breach affecting Telus Digital, which the institution confirmed past week.

Crunchyroll did not respond to a follow-up question astir whether the third-party vendor relates to its enactment partner, Telus Digital.

Telus Digital did not respond to requests for comments.

The hacker told BleepingComputer they had downloaded astir 8 cardinal enactment summons records from Crunchyroll’s systems, including astir 6.8 cardinal unsocial email addresses, though the claims person not been independently verified. The hacker besides told the work they gained entree connected March 12 aft compromising an Okta azygous sign-on relationship belonging to a Crunchyroll enactment agent.